IBM QRadar

IBM QRadar

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

  • 1.  Difference between indexed and non indexed property

    Posted Sun March 01, 2020 09:32 PM
    What is the difference between indexed and non-indexed property of Qradar ? How does indexing make the search for a property faster as compared to an non-indexed property ?

    ------------------------------
    Ipsit Utkarsh
    IBM Security Services
    ------------------------------


  • 2.  RE: Difference between indexed and non indexed property

    Posted Mon March 02, 2020 01:40 AM
    Edited by Roman Mikita Mon March 02, 2020 01:41 AM
    Hi Ipsit,

    to my knowledge, indexed property has assign a number which represent its position in the sorted manner (e.g. alhabeticly) therefor when you search for that property you can use the fact that the properties are sorted and find the one you are looking for in the log(n) time period (n is number of entries in DB of that property and log is logarithm with the base of 2) and you do not have to look on every one entry in DB (which would take n time period).
    Downside to indexing is that it require more memory as the property has now assign number to it. Plus some management.
    There can be some differences as how the QRadar is managing the indexed properties but this is base idea behind it. I hope :D.
    It is recommended to use indexing on properties which you use in your searches a lot. You can find some statistics on utilization of indexing in Index Management accessible in the Admin tap in QRadar.



    ------------------------------
    Roman Mikita
    ------------------------------

    Original Message


  • 3.  RE: Difference between indexed and non indexed property

    Posted Tue March 03, 2020 07:56 PM
    Hi Ipsit,

    QRadar stores its event records in files representing 1 minute's worth of time. At the same time that it writes out an event record file, it writes out index files for that minute for any indexed properties (one file per property). At the end of each hour, we "roll up" the minute indexes into an hourly index. The index files contain a list of each unique value for the property, and for each of those unique files, a reference to which event records in the corresponding record file contain that value.

    For non-indexed properties, if the property is used in a search filter criteria, we need to read each record in each file that matches the search's time range, checking the value of the property to see if it matches the filter.

    For indexed properties, we don't need to read the event record files, we just check the index and know exactly which records match the search criteria for that particular property. If a search contains criteria for multiple indexed properties, we can cross reference which event records have values which match both criteria, so again we don't need to actually scan the record files.

    Cheers
    Colin


    ------------------------------
    COLIN HAY
    ------------------------------

    Original Message


Related Content